Internet and Intranet Fundamentals
Class 9, Session A

Topics: Firewalls (continued)

Firewalls (continued)
  Bastion Hosts
  Packet Filtering
Bastion Hosts: Public Presence on the Internet
  The “lobby” analogy
  Public exposure implies increased security requirements
    – focus special attention on building a bastion host
    – host security: some principles apply to other hosts as well

Bastion Hosts: Various Types
  Non-routing dual-homed hosts
    – make sure they are non-routing!
  Victim machines
    – sacrificial goat
    – don’t let users put valuables on them
  Internal, semi-bastion hosts
    – inside the firewall
    – communicate with the external bastion

Bastion Hosts: General Design Guidelines
  Minimize the number of services provided
    – keep it simple, scholar
    – server software may have bugs that can be exploited
  Expect the bastion host to be compromised
    – expect the worst and plan for it
    – it is the host most likely to be attacked
    – the bastion host is considered an untrusted host

Bastion Hosts: What Platform?
  Unix, NT, etc.?
  Criteria
    – your experience
    – availability of firewall tools
  Class of machine
    – minimal
    – not a supercomputer
    – RAM is more important than CPU

Bastion Hosts: Location
  Physical location
    – safe
  Network location
    – preferably on a perimeter network
    – or a network not susceptible to spoofing (ATM, Ethernet switch)

Bastion Host Services
  Proxy and relay services
    – HTTP proxy
    – SMTP server
    – NNTP server
    – FTP server
  Public services
    – HTTP
    – SMTP

Bastion Hosts: Construction Steps
  Secure the machine
    – start with a minimal, clean operating system
    – fix all known system bugs
    – use a security checklist
    – safeguard the system logs (requires lots of logging)

Bastion Hosts: Construction Steps (continued)
  Disable non-required services
  Install or modify services
  Reconfigure the machine from development to deployment
  Perform a security audit
  Connect the machine to the network
Packet Filtering: Topics
  What is it?
  Advantages and disadvantages
  Configuring a packet filtering router
  Various kinds of filtering

Packet Filtering: What Is It?
  Selectively reject IP packets based on:
    – source address
    – destination address
    – incoming physical port
    – TCP application port

Packet Filtering: Advantages and Disadvantages
  Advantages
    – one router protects an entire network
    – doesn’t require user knowledge or cooperation
    – widely available
  Disadvantages
    – current filtering tools are not perfect: they can be hard to configure, test, and maintain, and may have bugs
    – some protocols don’t lend themselves to filtering

Packet Filtering: Configuring a PF Router
  Protocols are bidirectional
  Inbound vs. outbound semantics
    – packets vs. services
    – think “packets”
  Default security policy
    – permit or deny?
  Returning ICMP error codes
    – destination unreachable, for example

Various Kinds of Filtering: Rules
  Each rule specifies
    – direction
    – source address
    – destination address
    – ACK set
    – action

Various Kinds of Filtering: Rules (continued)

Various Kinds of Filtering: Risks of Address Filtering
  Address forgery
    – the source does not hope to get any packets back
    – a man-in-the-middle must intercept the return packets, which means altering the network topology to get in the middle

Various Kinds of Filtering: Filtering by Service (more complicated)
  TELNET, outgoing
    – local host’s IP: source address
    – remote host’s IP: destination address
    – TCP packet type
    – TCP destination port is 23
    – content: your keystrokes

Various Kinds of Filtering: Filtering by Service
  TELNET, incoming
    – remote host’s IP: source address
    – local host’s IP: destination address
    – TCP packet type
    – TCP source port is 23
    – TCP destination port is the same as the prior source port
    – ACK set

Various Kinds of Filtering: Filtering by Service
  TELNET rules
    – permit outbound to port 23
    – permit inbound from port 23 if ACK is set
    – deny both outbound and inbound for everything else (default rule)
  Risks
    – some other service on port 23?
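The TELNET rule set above, as an added Python example that is not part of the slides: a stateless, first-match filter holding the three rules, run over constructed sample packets. The last sample shows the weakness the slide asks about: a stateless filter cannot check that the inbound destination port matches a session a local host actually opened, so any inbound packet with source port 23 and ACK set is permitted.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Packet:
    """One packet as a stateless filter sees it (constructed fields)."""
    direction: str     # "in" (from the Internet) or "out" (to the Internet)
    proto: str         # "tcp", "udp" or "icmp"
    sport: int         # source port
    dport: int         # destination port
    ack: bool = False  # TCP ACK flag

@dataclass(frozen=True)
class Rule:
    """A filter rule; None in a field means 'any' for that field."""
    direction: Optional[str]
    proto: Optional[str]
    sport: Optional[int]
    dport: Optional[int]
    ack: Optional[bool]  # True: ACK must be set; None: don't care
    action: str          # "permit" or "deny"

    def matches(self, pkt: Packet) -> bool:
        return all(want is None or want == have for want, have in (
            (self.direction, pkt.direction), (self.proto, pkt.proto),
            (self.sport, pkt.sport), (self.dport, pkt.dport), (self.ack, pkt.ack)))

# The TELNET rules from the slides, in order; the first matching rule wins.
TELNET_RULES = [
    Rule("out", "tcp", None, 23, None, "permit"),  # local users may open TELNET sessions
    Rule("in", "tcp", 23, None, True, "permit"),   # replies: source port 23 and ACK set
    Rule(None, None, None, None, None, "deny"),    # default rule: deny everything else
]

def decide(rules, pkt: Packet) -> str:
    """Action of the first matching rule; deny if no rule matches."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action
    return "deny"

# Constructed sample packets, one per interesting branch of the rule set.
SAMPLES = {
    "outbound_telnet_syn": Packet("out", "tcp", 1234, 23),
    "inbound_telnet_reply": Packet("in", "tcp", 23, 1234, ack=True),
    "inbound_telnet_syn": Packet("in", "tcp", 4321, 23),              # remote opens a session: denied
    "inbound_sport23_ack_to_80": Packet("in", "tcp", 23, 80, ack=True),  # not a reply we asked for: still permitted
    "outbound_udp_23": Packet("out", "udp", 1234, 23),
}

def evaluate(rules=TELNET_RULES):
    """Decision for every sample packet, keyed by sample name."""
    return {name: decide(rules, pkt) for name, pkt in SAMPLES.items()}
```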